System funding will be tied to security, OMB says

MARCH 2 Funding for information technology will be conditional to whether a system has adequate security measures, the Office of Management and Budget said in new guidance.

"The most effective way to protect information and systems is to incorporate security into the architecture of each. This approach ensures that security supports agency business operations, thus facilitating those operations, and that plans to fund and manage security are built into lifecycle budgets for information systems," OMB Director Jacob J. Lew said.

"In general, OMB will consider new or continued funding only for those system investments that satisfy [the OMB criteria] and will consider funding information technology investments only upon demonstration that existing agency systems meet these criteria," Lew said.

For systems that do not meet the standards, agencies will need to work with OMB to establish a process and timetable for bringing systems into compliance, he said.

The document outlines six security principles:

Effective security is an essential element of all information systems.

Effective privacy protections are essential to all information systems, especially those that contain substantial amounts of personally identifiable information. New information technologies should sustain, not erode, the privacy protections.

The protection of federal computer resources must be commensurate with the risk of harm that would result from any misuse or unauthorized access to such systems and the information flowing through them.

Security risks and incidents must be managed in a way that complements and does not unnecessarily impede agency operations.

A strategy to manage security is essential and should be based on an ongoing cycle of risk management, to be developed in coordination with and implemented by agency program officials.

Agency program officials must determine an acceptable level of risk to systems under their control, ensure that adequate security is maintained to support and assist their programs, and ensure that security controls are balanced with program needs and operational necessities.